Read past the headlines – Firefox is fixed faster

Secunia released a report this week that discusses a few aspects of the 2007 security landscape. Techworld ran a story based on that report under the headline “Red Hat and Firefox more buggy than Microsoft.” The headline is misleading, but the Techworld article itself tells an interesting story.

Counting security vulnerabilities to compare the security of different software projects is flawed. The count is only a useful metric when you compare a project to itself over time. I’ve discussed this topic here and here. It’s even more ridiculous to try to compare an open source bug count to a closed source project, because in an open source project you can see all the bugs, whereas for a closed source product like Internet Explorer you can only see the publicly found security issues.

So what is interesting in the Techworld article is the measures of real risk to users:

“‘[Z]ero-day’ security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer…”

“[I]n an examination of zero-day flaws – reported by third parties before a patch was available – Secunia found that Firefox tended to get more patches, sooner, compared to IE.”

“Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.”

At Mozilla we work as hard as we can to ship fixes as soon as possible to minimize our users’ exposure. It is great to see that the efforts we are making to minimize risk to users are paying off.
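The post argues that the useful number is not how many bugs were found but how long users were exposed before a fix shipped, and the Techworld figures it quotes (patched-versus-unpatched counts, fastest patch time) are exactly that kind of measure. The following is an added example, not code or data from the post, from Secunia or from Mozilla: it computes those exposure metrics over a constructed set of zero-day records, treating a still-unpatched flaw as exposure that keeps running up to a reference date rather than dropping it from the calculation. The product names, dates and the `AS_OF` reference date are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample records: illustrative dates only, NOT Secunia's data.
@dataclass
class ZeroDay:
    product: str
    disclosed: date            # day the flaw became public with no patch available
    patched: Optional[date]    # None = still unpatched as of the reference date

AS_OF = date(2007, 12, 31)     # reference date for counting open exposure (constructed)

SAMPLE = [
    ZeroDay("browser-a", date(2007, 1, 10), date(2007, 1, 18)),
    ZeroDay("browser-a", date(2007, 3, 2), date(2007, 3, 9)),
    ZeroDay("browser-a", date(2007, 6, 20), None),
    ZeroDay("browser-b", date(2007, 2, 1), date(2007, 5, 1)),
    ZeroDay("browser-b", date(2007, 5, 5), None),
    ZeroDay("browser-b", date(2007, 8, 14), None),
]

def exposure_days(z: ZeroDay, as_of: date) -> int:
    """Days users were exposed: disclosure to patch, or to `as_of` if no patch yet."""
    end = z.patched if z.patched is not None else as_of
    return (end - z.disclosed).days

def patch_stats(records, product: str, as_of: date) -> dict:
    """Exposure-based metrics for one product, ignoring raw bug counts across products."""
    mine = [z for z in records if z.product == product]
    patched = [z for z in mine if z.patched is not None]
    patched_days = [exposure_days(z, as_of) for z in patched]
    all_days = [exposure_days(z, as_of) for z in mine]
    return {
        "total": len(mine),
        "patched": len(patched),
        "fastest_patch_days": min(patched_days) if patched_days else None,
        "median_exposure_days": median(all_days) if all_days else None,
        # unpatched flaws keep accruing exposure; a count alone would hide this
        "open_exposure_days": sum(exposure_days(z, as_of) for z in mine if z.patched is None),
    }

if __name__ == "__main__":
    for product in ("browser-a", "browser-b"):
        print(product, patch_stats(SAMPLE, product, AS_OF))
```

The point of `open_exposure_days` is that a vendor with fewer reported zero-days but several left open can still leave users exposed for longer in aggregate than one with more reports that are fixed in a week.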

“Counting security vulnerabilities to compare the security of different software projects is flawed.”

Do you mean that to compare the number of vulnerabilities in BIND and in DJBDNS is useless? To compare Qmail vulnerabilities to Sendmail is useless? To compare WU-ftp vulnerabilities to vsftp is useless?

“It’s even more ridiculous to try and compare an open source bug count to a closed source project because you can see all the bugs in an open source project.”

So maybe Mozilla should release a report stating what vulnerabilities are found internally and externally. How many of those 64 Mozilla vulnerabilities were found internally? Subtract that from the total and compare this number to IE. Now you are comparing apples to apples.

“So what is interesting in the Techworld article is the measures of real risk to users”

There’s actually NO risk for IE users due to those 10 IE vulnerabilities in Secunia’s report. They are all “not critical” or “less critical”.

I keep hearing/reading about how Firefox is the most secure browser. While I am not disputing this assertion, I certainly have some reservations about FF. First, when I download FF, I can’t figure out where to validate the download via md5 or sha1. Are these hash values even available to help verify that I got an authentic version of FF? If they are available, why do you insist on “hiding” them? There should be a link to the secure hash values on the very same page as the link to download FF. I should not have to do a web search to find such info. The URL I went to to D/L FF is http://www.mozilla.com/en-US/firefox/
Nowhere on this page is there a link to a secure hash. Clicking the D/L link takes me to the following URL: http://www.mozilla.com/en-US/products/download.html?product=firefox-2.0.0.11&os=linux&lang=en-US
Nowhere on this page is there a link to a secure hash.

I had an older version of FF and did Help->Check for Updates. I had a packet sniffer running while the updates were being performed. Two IP addresses from which I received a ton of data while doing the update were 203.200.188.111 and 205.188.226.54. Running whois tells me that 203.200.188.111 belongs to “Asian Pacific Network Information Center” and 205.188.226.54 belongs to AOL. Why would I be getting FF updates from these two entities? How do I verify that I don’t have a rogue program that looks & feels like FF?
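The comment above asks how a user would check a downloaded installer against a published hash. The following is an added example, not code from the post, from the commenter or from Mozilla, showing the mechanics of that check: parse a manifest in the `sha256sum` text format (`<hex digest>  <filename>`, optionally with the `*` binary-mode marker), hash the file in chunks, and compare digests with a constant-time comparison. It uses SHA-256 rather than the MD5 or SHA-1 the comment mentions, since neither of those is collision-resistant any more. The file name `example-download.bin` and the manifest contents are constructed for the demonstration; the one real value is the well-known SHA-256 of an empty input, which makes the manifest a genuine known answer rather than a digest computed from the file itself. A hash published on the same page as the download only helps if the page itself arrives over a trusted channel (HTTPS, or a manifest with a verifiable signature); otherwise whoever can swap the file can swap the hash too.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# SHA-256 of the empty string: a published known-answer value, not computed here.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def parse_sums(manifest_text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hexdigest}.
    Blank lines and '#' comments are skipped; a leading '*' (binary marker) is dropped.
    Anything that is not a 64-character hex digest is rejected rather than guessed at."""
    sums = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        sums[name.lstrip("*")] = digest
    return sums

def sha256_of_file(path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest_text: str) -> bool:
    """True only if the file's SHA-256 equals the manifest entry for its file name.
    A missing entry is treated as a failure, not as 'nothing to check'."""
    expected = parse_sums(manifest_text).get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> tuple:
    """Constructed end-to-end check: a good file, the same file tampered, and a
    manifest with no entry for it. Returns (good_ok, tampered_ok, missing_ok)."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "example-download.bin"   # constructed file name
        target.write_bytes(b"")                      # empty content matches EMPTY_SHA256
        manifest = f"# constructed manifest\n{EMPTY_SHA256.upper()}  *example-download.bin\n"
        good_ok = verify_download(target, manifest)
        target.write_bytes(b"tampered payload")      # simulate a modified download
        tampered_ok = verify_download(target, manifest)
        missing_ok = verify_download(target, "# no entries here\n")
    return good_ok, tampered_ok, missing_ok

if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```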

Hi Firefox. I have been on the Internet since 1995! I used Internet Explorer for the first 3/5 years, then Netscape 3, that was in 1996. Then Neoplanet, Opera and now Firefox. What a pleasure working with Firefox.
Started only in 1998 with Norton Virus scanner! Now using Trend-Micro for the past 5 years!

The upgrades of Firefox are more frequent than IP!

Thanks a lot from Newcastle, South Africa.
PS, first 9 years using the Net in the Netherlands.

zEbulon NC USA Since 01-01-09, an adware trojan selling “security” and pc “cleaning” software in bad English came through F-Secure of Embarq.com and Windows Defender and Firefox security and planted a disruptive program that keeps you from using the pc normally, as it generates a fake security warning msg window on top of whatever you are in, requiring X-ing it out or clicking on it, which redirects you to a website selling their software. They copied all the Windows warning symbols, red shields with white x, the triangle with exclamation point, etc, and neither Windows nor Embarq nor MS were willing to go after this; they state such “adware” should be left alone. The scanning that F-Secure and Defender do to “find” such malware resulted in fouling of pc memory with timeouts, errors, requests for authentication, errors that exceeded….so we were unable to reconnect to the internet. It took 4 techs and 3 days to get one that found the problem’s source and cleared it out, in the ARP cache, and reset the TCP/IP addresses which had been mis-set by something or other. The security “dept” at MS said to “give it a week” and perhaps they would come up with a fix. Is this what Firefox and Mozilla do? I don’t put any monetary info on my pc and have a very level-headed 18 yr old here who has no interest in the junk that the world wants to hook her with, but no one wants an unusable pc and loss of internet that they are paying for. Since I am very low-level proficient and conversant in pc-speak, I would appreciate a generous, patient recommendation of where else I can get feedback when we have pc security issues. MS and Windows only talk about keeping little ones safe from bad pictures and creeps, but there is so much more to be safe from, from the corporate salesmen invading this livewire billboard in everyone’s homes, offices, dorms, etc.
I especially would like guidance, beforehand, on wireless routing for a laptop and setting up an in-home network of 2 laptops off of one desktop, and how to do this without letting in adware, malware, riskware, or any other unwanted invaders. Thanks so much and peace and love to all the world; we are all alive right now, here, together, for such short times, and so different, yet all living with the same brains, understanding languages that say the same things that our brains understand, loving and enjoying family, friends, pets, wild things and beautiful beaches, the great sky and mountains, plains and the song of the desert breeze, the smell of lush fields, our children’s laughter, and our longings for children or lovers and for God’s touch and the reassurance that fearsome things will stop when the shooting starts and the children scream and old men, too ill or weak to run, moan and look away; who among us really wants to hate, to hurt….please give someone some time and your loving attention, and how rewarded you will be to see the balm your kindness, your charity, is to another life. I pray every day that these fabulous inventions, these pcs, the satellite broadcasts, will be used to tie together our strengths and our hearts, with new determination to resist the corporate forces that want to pervert the pc and internet as sales tools, and the regular media’s total destruction by brainwashers and political moguls to redirect our thoughts, and censor all the news until we are all petty, controlled consumer wage-slaves, owing more than we make to the company store. Please tell me if RegCure is also adware or a legit pc cleaner. Thanks, fastmari zEbulon NC USA